Bug 1399314 - [RFE] Allow non-equality comparisons for uid and gid fields
Summary: [RFE] Allow non-equality comparisons for uid and gid fields
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: audit
Version: 7.2
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Steve Grubb
QA Contact: Ondrej Moriš
URL:
Whiteboard:
Depends On:
Blocks: 1420851 1476406
TreeView+ depends on / blocked
 
Reported: 2016-11-28 18:07 UTC by emahoney
Modified: 2021-06-10 11:42 UTC (History)
3 users (show)

Fixed In Version: audit-2.8-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-10 12:18:47 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0760 0 None None None 2018-04-10 12:20:10 UTC

Description emahoney 2016-11-28 18:07:58 UTC 
Description of problem:

Currently you can only use non-equality comparisons for \timestamp, \timestamp_ex and \record_type. Allowing non-equality comparisons will allow users of audit-viewer to put in values such as UID >= 500 rather than having to one-by-one do UID =500, UID =501 ... etc. 

Here is the response from the maintainter:
~~~
ausearch-expression(5) says
Evaluate  the  "value" of field, and compare it to value.  A "value" may be defined for any field or virtual field, but no "value" is currently defined for any audit record field. … If field does not define a "value", an error is reported when parsing the expression.

i.e. non-equality comparisons of anything but \timestamp, \timestamp_ex and \record_type are not currently possible.
~~~


Steps to Reproduce:
1.Enter value in audit-viewer as a non-equality expression UID > 500
2.
3.

Actual results:
When you use a value like UID > 500 it errors out


Expected results:
Returns audit for UIDs greater than 500. 

Additional info:
N/A
Comment 3 Steve Grubb 2017-10-09 12:48:16 UTC 
Fixed in upstream commit c661ba7.
Comment 4 Steve Grubb 2017-10-09 12:50:42 UTC 
Test program to check this feature:

#include <stdio.h>
#include <auparse.h>
#include <stdlib.h>

#define LOG "./audit.log"

int main(void)
{
        auparse_state_t *au;
        char *error = NULL;
        char expr[1024];

        snprintf(expr, sizeof(expr),
                "(auid >= 500 && auid <= 5000)"); 
                //"(\\record_type >= 1130 && \\record_type <= 1140)");

        au = auparse_init(AUSOURCE_FILE, LOG);
        if (ausearch_add_expression(au, expr, &error, AUSEARCH_RULE_CLEAR)) {
                fprintf(stderr, "Criteria error: %s\n", error);
                free(error);
        }
        while (ausearch_next_event(au) > 0) {
                int i_auid, serial;
                const char *auid;
                int type = auparse_get_type(au);
                auid = auparse_find_field(au, "auid");
                if (auid) {
                        i_auid = auparse_get_field_int(au);
                        serial = auparse_get_serial(au);
                        printf("type:%d, auid:%d serial:%d\n",
                                        type, i_auid, serial);
                }
        }
        auparse_destroy(au);
        return 0;
}
Comment 5 Steve Grubb 2017-10-10 19:59:56 UTC 
audit-2.8-1.el7 was built to resolve this issue.
Comment 10 errata-xmlrpc 2018-04-10 12:18:47 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0760
Note You need to log in before you can comment on or make changes to this bug.